A few people I know recently asked me about the “heartbleed” bug, and how it impacts them. Here’s an overview for non-technical folks.
What is Heartbleed? It must be terrifying, with a name like that!
First of all, Heartbleed is NOT: a virus, a medical condition, or a nuclear silo in Kansas. Your computer cannot be “infected” by Heartbleed (and anyone who says differently is selling you something).
Heartbleed IS a bug in a piece of security software (a.k.a., a “vulnerability” or an “exploit”) that provides infrastructure on the internet. More than likely, your email, your bank, or your instant messaging service use a component that was vulnerable to Heartbleed.
At the end of this post I’ll detail some steps you can take to protect yourself, ranked in order of paranoia level. If you’re the impatient type, just jump down there now.
Who is affected?
UPDATE: Mashable has a fantastic post that summarizes which top internet services were vulnerable and need a password reset.
(Thanks to Emma B. Dalton for the link)
Everyone using a particular piece of software called “OpenSSL” was vulnerable, except for some companies or schools that haven’t applied a security patch since 2011 (in which case, there are plenty of other attacks they might have been vulnerable to in the meantime).
You might recognize some of these names: Google, Facebook, the IRS, the Government of Australia, and so on.
WAS vulnerable? Does that mean I’m protected now?
I say “was” vulnerable because system administrators and cybersecurity heroes around the world have been scrambling to fix this since the vulnerability was made public. Thanks to their efforts, a fix was released the same day that the vulnerability was announced.
However, that fix still has to be installed on every affected server or machine. How quickly it gets installed depends on the particular company — just because your bank already applied the fix doesn’t necessarily mean that your credit card company or email provider has done the same.
The biggest problem with Heartbleed is that this vulnerability has existed “in the wild” for about 2 years. So criminals might have been exploiting it this entire time; we just don’t know. My personal opinion is that if it had been used broadly by cybercriminals, they would have been detected much sooner. Anyone who knew about this for the past 2 years (and exploited it) probably kept it to themselves, and used it selectively.
Where can I learn more?
If you’re interested in the technical details, heartbleed.com has a much more in-depth description.
Can’t you give me just a little technical jargon?
Fine. Here are some interesting technical details:
- Heartbleed allows an attacker to get the certificate key that secures a site. Theoretically, they could use this to decrypt any traffic they’ve been accumulating from that site from the past two years.
- What to worry about: army orders, tax forms, anything else that cyberspies might try to track for multiple years.
- What not to worry about: your Instagram photos, prescriptions list, or personal browsing history.
- Services that have “perfect forward secrecy” are protected from retroactive attacks (where a hacker tries to decrypt the data they’ve collected for the past two years). Unfortunately, very few services have used that to date. There will probably be greatly renewed interest in that going forward, though.
- Services that use multiple layers of distributed encryption — such as my favorite, LastPass — are safe. Again, very few services currently use multiple encryption layers, but I hope more of them will soon.
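As an added example (not from the original post), here is a small Python 3 check, standard library only, for the two points above: whether a site’s certificate was issued before the fix was released (the key behind an older certificate was in service while the bug was live, so a reissued certificate is the evidence that it was replaced) and whether the connection uses an ephemeral key exchange, i.e. has forward secrecy. It assumes the 2014-04-07 disclosure date given later in the post as the cut-off; the sample certificate data is constructed and the helper names are my own.

```python
import ssl
import socket
from datetime import datetime, timezone

# Date Heartbleed was disclosed and the OpenSSL fix released (from the post).
DISCLOSURE = datetime(2014, 4, 7, tzinfo=timezone.utc)

def key_exchange_is_forward_secret(cipher_name: str, protocol: str) -> bool:
    """True when the negotiated cipher uses an ephemeral (EC)DHE key exchange.

    A stolen certificate key cannot retroactively decrypt such sessions, which
    is the 'perfect forward secrecy' property described above. Every TLS 1.3
    suite is ephemeral by design; for TLS 1.2 and older the cipher name states
    the key exchange (ECDHE-RSA-... vs a plain RSA suite such as AES128-SHA).
    """
    if protocol == "TLSv1.3":
        return True
    return cipher_name.startswith(("ECDHE-", "DHE-"))

def certificate_predates_fix(cert: dict) -> bool:
    """True when the certificate was issued before the disclosure date.

    `cert` has the shape returned by ssl.SSLSocket.getpeercert(): 'notBefore'
    is an OpenSSL-style timestamp such as 'Apr  9 00:00:00 2014 GMT'. A key in
    service before the fix may have been read out by an attacker, so a
    certificate issued afterwards shows the key was replaced.
    """
    issued = ssl.cert_time_to_seconds(cert["notBefore"])
    return issued < DISCLOSURE.timestamp()

def assess(cert: dict, cipher_name: str, protocol: str) -> dict:
    """Combine both checks into one verdict (pure function, testable offline)."""
    return {
        "key_may_have_leaked": certificate_predates_fix(cert),
        "forward_secret": key_exchange_is_forward_secret(cipher_name, protocol),
    }

def assess_host(host: str, port: int = 443) -> dict:
    """Network wrapper (hypothetical helper): connect and run the checks."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            name, protocol, _bits = tls.cipher()
            return assess(tls.getpeercert(), name, protocol)

# Constructed samples resembling getpeercert() output; not any real site's data.
SAMPLE_OLD_CERT = {"subject": ((("commonName", "example.invalid"),),),
                   "notBefore": "Jan 15 00:00:00 2013 GMT",
                   "notAfter": "Jan 15 23:59:59 2015 GMT"}
SAMPLE_NEW_CERT = dict(SAMPLE_OLD_CERT, notBefore="Apr  9 00:00:00 2014 GMT")
```

A site that passes both checks (certificate issued after the fix, forward-secret cipher) is one where a stolen key would not help an attacker decrypt either old or new traffic.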
What do I do now?
First of all, you don’t have to stop using the internet forever. But I’m not planning to type my password into my bank account or credit card company until I hear that they’ve fixed the issue.
If there’s a site that “remembers” you were logged in already (e.g., Facebook, Gmail, etc.) then there’s no need to log out of the site — that won’t provide any extra protection.
For our purposes, it’s pretty safe to assume that the “window of vulnerability” (the amount of time a hacker has to steal your information) basically started on Monday, 2014-04-07. So although you don’t HAVE to go Defcon 1 on your personal data, this is still a great opportunity for you to revisit how you’re protecting your important digital assets, like passwords.
Depending on your paranoia level, here’s what I would recommend. All of these steps are free; it just depends on the amount of time you want to invest.
- Make an inventory of the online services you use. See what their official announcements say.
- Don’t have an easy list? Install LastPass and it will pull out all the passwords you have saved in your browser, and keep track of sites you visit in the future.
- Once a service has confirmed they applied the fix, change your password there.
Do all of the above, AND:
- Check your credit card statements and bank statements for unauthorized activity, in case someone stole your banking password.
- Sign up at a site like Credit Karma that offers free credit monitoring, and check it once a month for the next 18 months.
Do all of the above, AND:
- Place a fraud alert on your credit report. (This has the added benefit of cutting down on your junk mail.)
- Make a security plan for your digital assets that includes rotating your passwords on a regular basis, using different passwords for different sites, etc. Again, a service like LastPass can greatly help with this.
Although Heartbleed sounds pretty scary, you can protect yourself from the after-effects, and the actual window of vulnerability for most services will probably be just a few days. My highest recommendation is (1) check with your bank, insurance company, email provider, etc. if they’ve applied the fix for their website, and (2) once they have, change your password there. Everything after that is a “nice-to-have” security-wise, but not absolutely essential.
If you have any more questions, or if you’re technically-minded and thought of a protection step I may have missed, leave it in the comments below!